Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Requires a pre-compromised renderer (PR:H) and chaining plus user interaction (AC:H, UI:R); successful escape crosses the sandbox boundary (S:C) with total impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionNVD
Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
AnalysisAI
Sandbox escape in Google Chrome's Skia graphics engine (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, achieving high-impact code execution across the security boundary (scope change). Rated Critical by Chromium and CVSS 9.6, but no public exploit is identified at time of analysis and EPSS is low (0.22%, 13th percentile). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has ALREADY compromised the Chrome renderer process - this is a second-stage sandbox-escape primitive, not a standalone remote-code-execution bug. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A victim visits a malicious or compromised web page that first exploits a separate renderer-level bug to run attacker code inside Chrome's sandboxed renderer, then serves crafted HTML/graphics content that feeds malformed input to Skia to escape the sandbox and execute code in a higher-privileged browser process. No public proof-of-concept is identified at time of analysis, and successful attack requires chaining with a prior renderer compromise plus user interaction (UI:R) to load the page. |
| Remediation | Vendor-released patch: update Google Chrome to 150.0.7871.47 or later per the Chrome Stable channel advisory (https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html); Chrome normally auto-updates, so verify via chrome://settings/help and relaunch to apply the fix, and push the update through your enterprise management (GPO/MDM/admx) to ensure fleet-wide deployment. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Chrome deployments across the organization and identify instances running pre-150.0.7871.47 versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| SUSE Package Hub 15 SP7 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Package Hub 15 SP7 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40467
GHSA-q267-54c8-8vcg